Best practice rules for Amazon Elastic Kubernetes Service (EKS)
- Check for the CoreDNS Add-On Version
Ensure that the CoreDNS add-on version matches the EKS cluster's Kubernetes version.
- Disable Remote Access to EKS Cluster Node Groups
Ensure that remote access to EKS cluster node groups is disabled.
- EKS Cluster Endpoint Public Access
Ensure that the AWS EKS cluster API endpoint is not publicly accessible, since public endpoint access exposes the cluster to security risks.
- EKS Cluster Node Group IAM Role Policies
Ensure that EKS Cluster node groups are using appropriate permissions.
- EKS Security Groups
Ensure that AWS EKS security groups are configured to allow incoming traffic only on TCP port 443.
- Enable CloudTrail Logging for Kubernetes API Calls
Ensure that all Kubernetes API calls are logged using Amazon CloudTrail.
- Enable Envelope Encryption for EKS Kubernetes Secrets
Ensure that envelope encryption of Kubernetes secrets using Amazon KMS is enabled.
- Kubernetes Cluster Logging
Ensure that EKS control plane logging is enabled for your Amazon EKS clusters.
- Kubernetes Cluster Version
Ensure that the latest version of Kubernetes is installed on your Amazon EKS clusters.
- Monitor Amazon EKS Configuration Changes
Amazon EKS configuration changes have been detected within your Amazon Web Services account.
- Use AWS-Managed Policy to Manage Networking Resources
Ensure that EKS cluster node groups implement the "AmazonEKS_CNI_Policy" managed policy.
- Use AWS-Managed Policy to Access Amazon ECR Repositories
Ensure that EKS cluster node groups implement the "AmazonEC2ContainerRegistryReadOnly" managed policy.
- Use AWS-Managed Policy to Manage AWS Resources
Ensure that Amazon EKS clusters implement the "AmazonEKSClusterPolicy" managed policy.
- Use OIDC Provider for Authenticating Kubernetes API Calls
Ensure that Amazon EKS clusters are using an OpenID Connect (OIDC) provider.